HP StorageWorks XPath OS 7.4.X Administrator Guide (AA-RVHDD-TE, February 2006)
80 Using the iSCSI Gateway Service
Configuring CHAP
The iSCSI standard supports access control with CHAP. You can configure the iSCSI gateway to use
one-way authentication, where the target authenticates the initiator, or two-way authentication, where first
the target authenticates the initiator and then the initiator authenticates the target.
NOTE: The MP Router supports DH-CHAP only. It consists of the CHAP protocol combined with the
Diffie-Hellman exchange.
Configuring one-way authentication
Issue the following command to configure one-way authentication for the target:
iscsiauthcfg -i targetiqn -c secret1
where targetiqn is the IQN for the Fibre Channel target and secret1 is the shared secret.
Remember the shared secret; you need it to configure the iSCSI driver on the iSCSI initiator.
For example:
router:admin> iscsiauthcfg -i iqn.2002-12.com.brocade:21000004cf4c54e9 -c 1234abcd1234
Create [iqn.2002-12.com.brocade:21000004cf4c54e9, ************] successful.
Configuring two-way authentication
1. Configure one-way authentication (secret1) as described in “Configuring one-way authentication.”
2. Issue the following command to configure authentication for the initiator:
iscsiauthcfg -i iscsihostiqn -c secret2
where iscsihostiqn is the IQN for the iSCSI initiator and secret2 is the shared secret, which must
be different from secret1.
Remember the shared secret; you need it to configure the iSCSI driver on the iSCSI initiator.
For example:
router:admin> iscsiauthcfg -i iqn.1991-05.com.microsoft:isi154110 -c 5678abcd5678
Create [iqn.1991-05.com.microsoft:isi154110, ************] successful.
Removing a CHAP secret
Issue the following command:
iscsiauthcfg -d iqnname
where iqnname is the IQN of the initiator or the target.
To add or remove a DH-CHAP secret in Secure Fabric OS, see “Configuring a secure XPath OS DH-CHAP
secret” on page 54.
Administering iSCSI configurations
When multiple iSCSI portals are defined on one MP Router, they share information, such as IQN-to-WWN
mapping and CHAP secrets. If you have iSCSI portals defined on more than one MP Router, you can use
the IP fabric configuration server (iFCS) to perform out-of-band sharing of iSCSI gateway configuration
information across the MP Routers. The iFCS function distributes the IQN-to-WWN mapping of each iSCSI
host and their shared CHAP secret configuration to all IP-aware switches in the fabric. This distribution
enables iSCSI hosts to move from one switch to another switch within a fabric.
The MP Router on which you enable iFCS—the primary iFCS router—distributes and synchronizes the
information to the other MP Routers, and continues to do so whenever there is a change in any IP storage
configuration.
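The one-way and two-way exchanges described under "Configuring CHAP," shown as an added example that is not from the HP guide: it uses plain CHAP with MD5 (RFC 1994) and omits the Diffie-Hellman step the MP Router adds. The function names, and the mapping of secret1 to the direction in which the target verifies the initiator and secret2 to the reverse direction, are assumptions; the secret values are the sample values from the guide's examples.

```python
import hashlib
import hmac
import os

SECRET1 = b"1234abcd1234"  # sample secret1 from the guide's first example
SECRET2 = b"5678abcd5678"  # sample secret2 from the guide's second example

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over the one-byte identifier, the shared secret, the challenge.
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    # The verifier recomputes the response from its own copy of the secret;
    # the constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def login(target_cfg: dict, initiator_cfg: dict, two_way: bool = False):
    """Return (initiator_accepted, target_accepted); the second is None for one-way.

    Each cfg dict holds the secrets configured on that side (assumed layout).
    """
    if two_way and target_cfg["secret1"] == target_cfg["secret2"]:
        raise ValueError("secret2 must be different from secret1")

    # Direction 1: the target challenges, the initiator answers with secret1.
    ident, challenge = 1, os.urandom(16)
    answer = chap_response(ident, initiator_cfg["secret1"], challenge)
    initiator_ok = verify(ident, target_cfg["secret1"], challenge, answer)
    if not two_way or not initiator_ok:
        return initiator_ok, None

    # Direction 2: the initiator challenges, the target answers with secret2.
    ident, challenge = 2, os.urandom(16)
    answer = chap_response(ident, target_cfg["secret2"], challenge)
    target_ok = verify(ident, initiator_cfg["secret2"], challenge, answer)
    return initiator_ok, target_ok

if __name__ == "__main__":
    router = {"secret1": SECRET1, "secret2": SECRET2}
    host = {"secret1": SECRET1, "secret2": SECRET2}
    print("one-way:", login(router, host))
    print("two-way:", login(router, host, two_way=True))
    # A host whose driver was configured with the wrong secret1 is rejected.
    print("bad host secret:", login(router, {"secret1": b"wrong-secret", "secret2": SECRET2}))
```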